Hello. I have spent the past week repeatedly trying to use Entra ID with Azure VMs. I have tried these methods so far:
- Sign in using passwordless authentication with Microsoft Entra ID
- Sign in using password/passwordless authentication with Microsoft Entra ID (using a web account)
- Sign in using the Bastion
The instructions I was following are here: https://learn.microsoft.com/en-us/entra/identity/devices/howto-vm-sign-in-azure-ad-windows
I have also experimented with Entra domains, but they appear to have been unnecessary, as my test VMs have been joining with Entra automatically when I specify Entra login during creation. They also, incidentally, don't work, but this may be because I don't have a P2 subscription.
Here's the output from dsregcmd /status:
+----------------------------------------------------------------------+
| Device State |
+----------------------------------------------------------------------+
AzureAdJoined : YES
EnterpriseJoined : NO
DomainJoined : NO
Virtual Desktop : NOT SET
Device Name : EntraTestVM
+----------------------------------------------------------------------+
| Device Details |
+----------------------------------------------------------------------+
DeviceId : 0e7ee404-ec52-43cf-b356-29740e7bb3b2
Thumbprint : 34896559A93C672E2492262D706855CAF6C80148
DeviceCertificateValidity : [ 2026-06-30 15:42:21.000 UTC -- 2036-06-30 16:12:21.000 UTC ]
KeyContainerId : af0531e2-0751-4797-a2fb-1e2c0311ef00
KeyProvider : Microsoft Platform Crypto Provider
TpmProtected : YES
DeviceAuthStatus : SUCCESS
+----------------------------------------------------------------------+
| Tenant Details |
+----------------------------------------------------------------------+
TenantName :
TenantId : 2d283d78-981b-4659-945e-b466da8398b1
AuthCodeUrl : https://login.microsoftonline.com/2d283d78-981b-4659-945e-b466da8398b1/oauth2/authorize
AccessTokenUrl : https://login.microsoftonline.com/2d283d78-981b-4659-945e-b466da8398b1/oauth2/token
MdmUrl :
MdmTouUrl :
MdmComplianceUrl :
SettingsUrl :
JoinSrvVersion : 3.0
JoinSrvUrl : https://enterpriseregistration.windows.net/EnrollmentServer/device/
JoinSrvId : urn:ms-drs:enterpriseregistration.windows.net
KeySrvVersion : 1.0
KeySrvUrl : https://enterpriseregistration.windows.net/EnrollmentServer/key/
KeySrvId : urn:ms-drs:enterpriseregistration.windows.net
WebAuthNSrvVersion : 1.0
WebAuthNSrvUrl : https://enterpriseregistration.windows.net/webauthn/2d283d78-981b-4659-945e-b466da8398b1/
WebAuthNSrvId : urn:ms-drs:enterpriseregistration.windows.net
DeviceManagementSrvVer : 1.0
DeviceManagementSrvUrl : https://enterpriseregistration.windows.net/manage/2d283d78-981b-4659-945e-b466da8398b1/
DeviceManagementSrvId : urn:ms-drs:enterpriseregistration.windows.net
KerbSpn : adrs/enterpriseregistration.windows.net
KerbUrl : https://login.microsoftonline.com/2d283d78-981b-4659-945e-b466da8398b1/kerberos
+----------------------------------------------------------------------+
| User State |
+----------------------------------------------------------------------+
NgcSet : NO
WorkplaceJoined : NO
WamDefaultSet : NO
+----------------------------------------------------------------------+
| SSO State |
+----------------------------------------------------------------------+
AzureAdPrt : NO
AzureAdPrtAuthority :
AcquirePrtDiagnostics : PRESENT
Previous Prt Attempt : 2026-06-30 19:39:30.371 UTC
Attempt Status : 0xc0000072
User Identity : ******@----------.onmicrosoft.com
Credential Type : Password
Correlation ID : e456674b-458e-4df0-b925-d83952ee4067
Endpoint URI : https://login.microsoftonline.com/2d283d78-981b-4659-945e-b466da8398b1/oauth2/token
HTTP Method : POST
HTTP Error : 0x0
HTTP status : 400
Server Error Code : invalid_grant
Server Error Description : AADSTS50034: The user account {EUII Hidden} does not exist in the 2d283d78-981b-4659-945e-b466da8398b1 directory. To sign into this application, the account must be added to the directory. Trace ID: c90d857a-6347-43a6-a9b0-e2543aa51b00 Correlation ID: e456674b-458e-4df0-b925-d83952ee4067 Timestamp: 2026-06-30 19:39:30Z
EnterprisePrt : NO
EnterprisePrtAuthority :
+----------------------------------------------------------------------+
| Diagnostic Data |
+----------------------------------------------------------------------+
AadRecoveryEnabled : NO
Executing Account Name : EntraTestVM\azureuser
KeySignTest : PASSED
DisplayNameUpdated : YES
OsVersionUpdated : YES
HostNameUpdated : YES
Last HostName Update : NONE
+----------------------------------------------------------------------+
| IE Proxy Config for Current User |
+----------------------------------------------------------------------+
Auto Detect Settings : YES
Auto-Configuration URL :
Proxy Server List :
Proxy Bypass List :
+----------------------------------------------------------------------+
| WinHttp Default Proxy Config |
+----------------------------------------------------------------------+
Access Type : DIRECT
+----------------------------------------------------------------------+
| Ngc Prerequisite Check |
+----------------------------------------------------------------------+
IsDeviceJoined : YES
IsUserAzureAD : NO
PolicyEnabled : YES
PostLogonEnabled : YES
DeviceEligible : NO
SessionIsNotRemote : NO
CertEnrollment : none
PreReqResult : WillNotProvision
According to the official instructions linked to above, the configuration indicated should be sufficient for Entra ID to work. However, I have now built over 10 VMs, with new VNets and resource groups each time, and no matter how many times I have modified the settings, according to forum posts, YouTubes, and so on, nothing works. Could this be a problem at the subscription level, or something along those lines?
Microsoft have been completely unwilling to help with this, and have referred me to an AI that claimed my deployments failed, something that hasn't happened in a single case (and the logs confirm this).
Clearly, some people on this forum use Entra ID, correct? It seems nearly impossible to use, simply because following standard Microsoft instructions produces no results. I could tinker with nonstandard configurations on these VMs for weeks, as is recommended on various forums, but the point of Entra, and of Azure, is to be more plug-and-play than that, correct?
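To triage a failed Entra sign-in from a `dsregcmd /status` dump like the one above, here is an added example (not from the post, nor Microsoft's own tooling) that parses the output into sections and surfaces the fields that decide whether Entra login can work: the join state, the PRT acquisition result and its AADSTS code, and whether the current session user is a local or an Entra account. The sample input is a constructed excerpt modelled on the post, with the tenant ID replaced by a placeholder.

```python
import re

# Constructed excerpt of `dsregcmd /status` output, modelled on the post above;
# the tenant ID is replaced with a placeholder.
SAMPLE = """\
+----------------------------------------------------------------------+
| Device State |
AzureAdJoined : YES
| SSO State |
AzureAdPrt : NO
Server Error Description : AADSTS50034: The user account {EUII Hidden} does not exist in the <TENANT-ID> directory.
| Diagnostic Data |
Executing Account Name : EntraTestVM\\azureuser
| Ngc Prerequisite Check |
IsUserAzureAD : NO
PreReqResult : WillNotProvision
"""

def parse_dsregcmd(text):
    """Map each '| Section |' header to the 'Key : Value' pairs listed below it."""
    sections, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        header = re.match(r"^\|\s*(.+?)\s*\|$", line)
        if header:
            current = header.group(1)
            sections[current] = {}
        elif current and ":" in line and not line.startswith("+"):
            key, _, value = line.partition(":")  # split on the first colon only; URLs keep theirs
            sections[current][key.strip()] = value.strip()
    return sections

def entra_login_findings(sections):
    """Return the fields that explain why Entra ID sign-in is not available on this VM."""
    def get(sec, key):
        return sections.get(sec, {}).get(key, "")
    findings = []
    if get("Device State", "AzureAdJoined") != "YES":
        findings.append("device is not Entra joined")
    if get("SSO State", "AzureAdPrt") == "NO":  # no Primary Refresh Token was obtained
        code = re.search(r"AADSTS\d+", get("SSO State", "Server Error Description"))
        findings.append("no PRT acquired" + (f" ({code.group(0)})" if code else ""))
    acct = get("Diagnostic Data", "Executing Account Name")
    if "\\" in acct and "@" not in acct:  # MACHINE\user form means a local account ran the check
        findings.append(f"status run as local account {acct}, not an Entra user")
    if get("Ngc Prerequisite Check", "IsUserAzureAD") == "NO":
        findings.append("session user is not an Entra ID user")
    if get("Ngc Prerequisite Check", "PreReqResult") == "WillNotProvision":
        findings.append("Windows Hello for Business (NGC) prerequisites not met")
    return findings
```

Run it against a real dump with `dsregcmd /status > status.txt` and `parse_dsregcmd(open("status.txt").read())`; the output is meant to tell you which of the three layers (device join, PRT, session user) to look at next.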